Snoops can identify Tor users given enough time, experts say

A recent academic paper (PDF) shows “that Tor faces even greater risks from traffic correlation than previous studies suggested.” In other words, one of the world’s best tools for keeping online speech anonymous is at risk in a previously known—but now even clearer—fashion.

In the wake of a recent uptick in Tor usage (whether from a botnet or from people inspired by former National Security Agency [NSA] contractor Edward Snowden), a reminder of these risks is certainly germane to today’s Internet.

The new research shows that an adversary who either runs Tor relays or controls network infrastructure that Tor traffic passes through, such as autonomous systems (ASes, for example an ISP) or Internet Exchange Points (IXPs), could expose and identify a Tor user, given enough time.

That could be a nation in which the Internet is state-controlled, like Iran, or a vast telecommunications company like Level 3, but it could also certainly be a very sophisticated adversary with significant technical and legal resources on its side, like the NSA.

“Essentially what we’re saying is location matters,” Chris Wacek, a researcher at Georgetown University and one of the paper’s authors, told Ars.

“If you are a user connecting from Iran and you’re connecting to a destination in Iran, you can plausibly assume that the Iranian government knows who you are. If you have a concern that that type of entity might pose an adversarial threat to you, then you should be aware that they may be able to compromise you given a long enough period of time, even if you’re using Tor.”

Essentially, Tor does not protect against an adversary that can observe both ends of a connection: whoever sees the traffic entering the Tor network from the client and the traffic leaving it toward the destination can match the two by timing and volume. Because the client periodically picks new relays, and because its packets cross networks it cannot choose, an adversary that controls some relays or some network paths can simply wait until both ends of one of your circuits land on infrastructure it controls. Given more time and more traffic, there is a greater likelihood that the adversary can figure out who you are.

Specifically, a group of five researchers at Georgetown University and the Naval Research Laboratory—the arm of the Navy that originally developed Tor—explained it this way:

An adversary that provides no more bandwidth than some volunteers do today can deanonymize any given user within three months of regular Tor use with over 50 percent probability and within six months with over 80 percent probability. We observe that use of BitTorrent is particularly unsafe, and we show that long-lived ports bear a large security cost for their performance needs. We also observe that the Congestion-Aware Tor proposal exacerbates these vulnerabilities.

Some of our results against an adversary controlling ASes or IXPs are similarly alarming. Some users experience over 95 percent chance of compromise within three months against a single AS or IXP. We see that users’ security varies significantly with their location. However, an adversary with additional ASes or IXPs has much higher compromise speed, notably against even those users in “safer” locations. Such an adversary is highly relevant in today’s setting in which many large organizations control multiple ASes or IXPs. Surprisingly, we observe that high diversity in destinations may actually result in improved security against a network adversary.

The folks behind Tor have said that they have long been aware of this vulnerability.

“Yes, a big enough adversary can screw Tor users,” Roger Dingledine, the project’s director, wrote on a Tor e-mail list earlier this week. “But we knew that. I think it's great that the paper presents the dual risks of relay adversaries and link adversaries, since most of the time when people are freaking out about one of them, they're forgetting the other one. And we really should raise the guard rotation period. If you do their compromise graphs again with guards rotated every nine months, they look way different."
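To make the "wait long enough" argument above and Dingledine's point about the guard rotation period concrete, here is a small closed-form model of the relay-adversary case. It is an added example, not code from the paper or from the Tor project, and it simplifies heavily: relays are assumed to be chosen in proportion to bandwidth, the client keeps a fixed number of entry guards and picks one of them uniformly per circuit, exits are drawn independently per circuit, the whole guard set is re-drawn at each rotation, and a single circuit with both its guard and its exit under the adversary counts as deanonymization. The adversary fractions, circuit rate and rotation periods in `main` are constructed parameters, not measurements.

```python
"""Guard/exit correlation model: probability that a regular Tor user is
deanonymized by an adversary controlling a fraction of guard and exit
bandwidth, as a function of time and of the guard rotation period.

Added example with simplifying assumptions (see module docstring of the
functions); it is not the paper's simulator nor Tor project code.
"""
import math


def period_compromise_prob(guard_frac, exit_frac, circuits, num_guards=1):
    """Probability that at least one of `circuits` circuits built while one
    guard set is in use has both its guard and its exit under the adversary.

    Assumption: the guard set is drawn once per period, so j of the
    num_guards guards are adversary-run with Binomial(num_guards, guard_frac)
    probability.  Given j, a circuit uses a bad guard with probability
    j/num_guards and, independently, a bad exit with probability exit_frac.
    """
    p_safe = 0.0
    for j in range(num_guards + 1):
        p_j = (math.comb(num_guards, j)
               * guard_frac ** j * (1.0 - guard_frac) ** (num_guards - j))
        per_circuit = (j / num_guards) * exit_frac
        p_safe += p_j * (1.0 - per_circuit) ** circuits
    return 1.0 - p_safe


def compromise_prob(days, guard_frac, exit_frac, circuits_per_day,
                    rotation_days, num_guards=1):
    """Probability of at least one end-to-end compromised circuit within
    `days` days of regular use, with the guard set rotated every
    `rotation_days` days (a partial last period is handled)."""
    p_safe = 1.0
    remaining = days
    while remaining > 0:
        span = min(rotation_days, remaining)
        p_safe *= 1.0 - period_compromise_prob(
            guard_frac, exit_frac, circuits_per_day * span, num_guards)
        remaining -= span
    return 1.0 - p_safe


def compromise_curve(months, guard_frac, exit_frac, circuits_per_day,
                     rotation_days, num_guards=1):
    """Compromise probability after 1..months months (30-day months)."""
    return [compromise_prob(30 * m, guard_frac, exit_frac, circuits_per_day,
                            rotation_days, num_guards)
            for m in range(1, months + 1)]


if __name__ == "__main__":
    # Constructed parameters (assumptions, not measurements): the adversary
    # supplies 5% of guard and 5% of exit bandwidth, the user builds 20
    # circuits a day and keeps 3 entry guards.
    G, E, C, K = 0.05, 0.05, 20, 3
    print("month  rotate 30d  rotate 270d")
    for m, (short, long_) in enumerate(zip(
            compromise_curve(6, G, E, C, 30, K),
            compromise_curve(6, G, E, C, 270, K)), start=1):
        print(f"{m:>5}  {short:>10.3f}  {long_:>11.3f}")
```

With these parameters the 30-day rotation column climbs month after month while the 270-day column flattens at the first month's value: once a user has built enough circuits, the only thing that still matters is whether the current guard set contains an adversary relay, and every rotation re-rolls that dice. That is the effect Dingledine describes when he says the compromise graphs look very different with guards rotated every nine months. The paper itself relies on a full path simulator over real network data and also models AS- and IXP-level observers, which this model does not attempt.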

But that doesn’t mean that everyone should necessarily disconnect from Tor, Wacek added.

“What our research shows is that [if] an adversary who is powerful like the NSA is paying attention to you—and is looking for you and trying to deanonymize you—[they are] likely to be able to do it if they have access to the right network locations and the right resources,” he said. “If you use Tor as a casual user, your security isn’t going to go down dramatically. I think what we’re showing is that for a certain type of user, potentially a dissident who always uses Tor to avoid being captured, this may be a significant concern for them. If you don’t want your employer to know that you’re searching for health information and are worried about your health insurance going up, it’s probably not a concern.”

The paper will be formally presented at the ACM Conference on Computer and Communications Security (CCS) in Berlin in November 2013.